author | Peter Wu <peter@lekensteyn.nl> | 2016-02-24 00:35:44 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2016-02-24 06:02:37 +0000 |
commit | e395633224fd448fd93af0450b812228192d3a1b (patch) | |
tree | c11502044c3a118886c4e2a87b65f1cb2b3d85fd /wiretap | |
parent | ec691a9e20effe7998c02b21d592059b8da00488 (diff) |
vwr: fix heap-based buffer overflow
Commit v1.99.10rc0-316-gf28e23f added some additional room for the 16
byte PLCP header and 1 byte L1P. These are however not part of the
remaining data, only the header.
Bug: 11795
Change-Id: Ia6935d27366a07f818f147c9094a801429b049e2
Reviewed-on: https://code.wireshark.org/review/12240
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/vwr.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/wiretap/vwr.c b/wiretap/vwr.c index 846f0d5963..2a2107d9c0 100644 --- a/wiretap/vwr.c +++ b/wiretap/vwr.c @@ -1454,22 +1454,19 @@ static gboolean vwr_read_s2_s3_W_rec(vwr_t *vwr, struct wtap_pkthdr *phdr, } /* + * Fill up the per-packet header. + * * We also copy over 16 bytes of PLCP header + 1 byte of L1P for user * position. * * XXX - for S2, we don't have 16 bytes of PLCP header; do we have * the 1 byte of L1P? The current Veriwave dissector just blindly * assumes there's a 17-byte blob before the 802.11 header. - */ - actual_octets = actual_octets + 17; - - /* - * Fill up the per-packet header. * * We include the length of the metadata headers in the packet lengths. */ - phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets; - phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets; + phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 17 + actual_octets; + phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 17 + actual_octets; phdr->ts.secs = (time_t)s_sec; phdr->ts.nsecs = (int)(s_usec * 1000); |
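Review bot: the literal 17 is now repeated in both the `phdr->len` and `phdr->caplen` assignments, and its meaning (16 bytes of PLCP header plus 1 byte of L1P) is carried only by the comment above them. A named constant placed alongside `STATS_COMMON_FIELDS_LEN` and `EXT_WLAN_FIELDS_LEN` would keep the two sums in step and make it clear at the point of use that this is header size, not part of `actual_octets`. The XXX remark about S2 is also left open: the 17 bytes are added unconditionally in `vwr_read_s2_s3_W_rec`, so if S2 records do not carry the PLCP header, the reported lengths still include room for it. Finally, the hunk does not show the code that later consumes `actual_octets` when copying the remaining data, so it is worth confirming in review that nothing after this point still expects the value to include the extra 17 bytes.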